From Monolithic to Modular: Agile App Security in the DevOps Era

As organizations move to the cloud, one of the biggest changes we’ve seen is in the nature of the application landscape. This is the age of apps. Large companies are dealing with hundreds if not thousands of them, and nearly every enterprise is engaged in software development of some kind.

Drop a package off at the post office, and you have apps powering the scanner and scale, calculating postage, connecting with the tracking system and dozens of other things you don’t even see. Apps are facilitating your package’s journey every step of the way.

These aren’t just behemoth applications like an end-to-end CRM system. Most are smaller, lightweight widgets that carry out a specialized function — and most reside in the cloud or on the web.

When it comes to securing the application layer, this shift in landscape changes everything.

In the days when all applications ran in an internal datacenter, security strategy revolved around the company's firewall: a single, monolithic perimeter device expected to handle every threat scenario and permutation.

Today an organization may have thousands of apps on the internet, and putting a monolithic security device in front of each one just isn't practical. In fact it's counterproductive: overlapping controls conflict with one another, and each device has to be tuned and maintained on its own.

To be efficient in this new model, security can't keep consuming the compute resources and physical footprint it once did. A control that every app pays for whether or not it needs it is overhead, not protection.

Instead, the current challenge is to really focus on risk. The strategy must correlate appropriate security measures with what’s actually being deployed, and be much more surgical about the level of security services behind each app.

This is why we’re seeing the industry evolve from monolithic security to modular security.

Getting there requires a shift in how the security operations role works with DevOps. Under this paradigm, security architects create templates that apply an appropriate level of security based on the risk of the app and the environment it's being deployed in. Increasingly these templates take the form of a catalog, from which developers select the appropriate template and apply it to the app via a wizard.

In this way, DevOps can execute the organization's security measures without being an expert in security. All the developer must know is the business impact of the app she's working on and which environment it will run in. The template applies the appropriate security policies based on the business impact of the data behind the app, and the WAF or other measures are deployed in a matter of seconds with a few clicks. The one check the wizard must enforce is a floor: the developer may pick a stronger template than the app's classification requires, but never a weaker one.

Behind the scenes, security operations can change a template when the risk changes and orchestrate its distribution to every app that uses it, existing deployments as well as new ones, which is why templates need to be versioned. But the primary person pushing it is actually the developer, in daily and hourly sprints.
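The catalog-and-template workflow described above, as an added example in Python (not F5's product, code or catalog): the tier names, control names, the rule deriving a minimum tier from business impact and environment, and the sample apps are all hypothetical. It shows the three pieces the text describes together, the catalog security architects own, the floor the developer's wizard enforces, and the version bump that lets security operations find every deployed app that needs a revised template.

```python
"""Risk-tiered security template catalog (illustrative, hypothetical names)."""
from dataclasses import dataclass, replace
from typing import Dict, List

# Ordered from least to most sensitive; the position gives the base tier.
IMPACT_LEVELS = ("low", "moderate", "high")
ENVIRONMENTS = ("dev", "staging", "prod")
MAX_TIER = 3


@dataclass(frozen=True)
class Template:
    name: str
    tier: int          # 1..3, higher means stronger controls
    version: int       # bumped by security operations on every revision
    controls: tuple    # hypothetical control names, ordered for display


@dataclass(frozen=True)
class Deployment:
    app: str
    impact: str
    environment: str
    template: str
    template_version: int


# Hypothetical catalog owned by the security architects (assumed, not F5's).
CATALOG: Dict[str, Template] = {
    "baseline": Template("baseline", 1, 1, ("tls",)),
    "standard": Template("standard", 2, 1, ("tls", "waf-monitor", "rate-limit")),
    "hardened": Template("hardened", 3, 1, ("tls", "waf-block", "rate-limit", "bot-defense")),
}


def required_tier(impact: str, environment: str) -> int:
    """Minimum tier for an app, from business impact and environment.

    Assumed rule: the impact level sets the base tier and production raises
    it by one (capped at MAX_TIER), so a moderate-impact app needs
    'standard' in dev but 'hardened' in prod.
    """
    if impact not in IMPACT_LEVELS or environment not in ENVIRONMENTS:
        raise ValueError(f"unknown impact/environment: {impact}/{environment}")
    tier = IMPACT_LEVELS.index(impact) + 1
    if environment == "prod":
        tier += 1
    return min(tier, MAX_TIER)


def select_template(catalog: Dict[str, Template], name: str,
                    impact: str, environment: str) -> Template:
    """The wizard step: accept the developer's choice only if it meets the
    floor. A stronger template than required is fine; a weaker one is
    rejected rather than silently upgraded, so the mismatch stays visible."""
    template = catalog[name]
    floor = required_tier(impact, environment)
    if template.tier < floor:
        raise ValueError(f"{name!r} is tier {template.tier}; "
                         f"{impact}/{environment} needs tier {floor}")
    return template


def deploy(catalog: Dict[str, Template], app: str, impact: str,
           environment: str, name: str) -> Deployment:
    """Record what the app was deployed with, including the template version."""
    t = select_template(catalog, name, impact, environment)
    return Deployment(app, impact, environment, t.name, t.version)


def revise_template(catalog: Dict[str, Template], name: str,
                    controls) -> Dict[str, Template]:
    """Security operations change a template: return a new catalog with the
    version bumped so deployments still on the old version can be found."""
    old = catalog[name]
    new = replace(old, version=old.version + 1, controls=tuple(controls))
    return {**catalog, name: new}


def stale_deployments(catalog: Dict[str, Template],
                      deployments: List[Deployment]) -> List[str]:
    """Apps running an older template version than the catalog now holds,
    i.e. the set the orchestrator must push the revised template to."""
    return sorted(d.app for d in deployments
                  if d.template_version < catalog[d.template].version)


if __name__ == "__main__":
    # Constructed sample apps for the demo.
    deployments = [
        deploy(CATALOG, "orders-api", "high", "prod", "hardened"),
        deploy(CATALOG, "postage-calc", "moderate", "dev", "standard"),
        deploy(CATALOG, "tracking-widget", "low", "prod", "standard"),
    ]
    # Risk changed: 'standard' now blocks instead of monitoring.
    updated = revise_template(CATALOG, "standard", ("tls", "waf-block", "rate-limit"))
    print("needs redeploy:", stale_deployments(updated, deployments))
```

The point of returning a new catalog from `revise_template` rather than mutating the shared one is that the version comparison in `stale_deployments` is the whole mechanism: without a version on both the template and the deployment record, security operations can only reach new apps, not the ones already running.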

Including security within the software development lifecycle in this way — not as a separate policy process but as a natural part of app deployment — allows the security organization to keep up with the fast-paced DevOps engine. Where before the security process slowed everything down, now it can be lightweight and keep up with the explosion of apps we’re seeing today.

This approach marries the knowledge of the security pro with that of the developer to create a greatly improved security scenario in which both can leverage their expertise.

Ultimately this shift is all about bringing app security into the modern era, where we can be much more surgical in tying security measures to the specific risk involved with each app. Traditionally, we've focused on deploying a monolithic system to cover every possible vulnerability. There's never been time to understand each risk because the attack surface was so massive. But today we can finally have the highly targeted, modular security the industry has always needed.

With templates and agile application security working closely with DevOps, the security team can be much more systematic in understanding the risk that accompanies each app in each environment. And they can achieve economies of scale by using the software development process to deploy security measures.

As this “SecOps” model continues to evolve, security operations will be virtually infused into the DevOps process, giving everyone better security overall.

Preston Hogue is Sr. Director of Security Marketing at F5 Networks and serves as a worldwide security evangelist for the company. Previously, he was a Security Product Manager at F5, specializing in network security Governance, Risk, and Compliance (GRC). He joined F5 in 2010 as a Security Architect and was responsible for designing F5's current Information Security Management System. Preston has a proven track record building out Information Security Management Systems with Security Service Oriented Architectures (SSOA), enabling enhanced integration, automation, and simplified management. Before joining F5, he was Director of Information Security at social media provider Demand Media, where he built out the information security team. Preston's career began 18 years ago when he served as a security analyst performing operational security (OPSEC) audits for the U.S. Air Force. He currently holds CISSP, CISA, CISM, and CRISC security and professional certifications.